Data networks are widely used to allow fast communication between end-stations (e.g., computers), within organizations and between organizations. Data networks are generally packet-based networks which, unlike circuit-switched networks, do not establish a unique physical link path between a source and a destination. Rather, the messages passed between the end-stations are encapsulated in packets which carry destination addresses (e.g., IP addresses and MAC addresses). Switches and/or routers along the network direct the packets to their destinations based on those destination addresses.
In many cases, a message or a sequence of related messages (e.g., a data file or a video movie) transmitted between computers is encapsulated within a plurality of packets which carry the same addressing information. These packets are referred to as belonging to a single session. In many cases, while a message is being transmitted from a source computer to a destination, the destination transmits responses to the source computer. In the terminology of the present application, the transmissions from the source to the destination and from the destination to the source belong to two different sessions which together form a two-way session.
Within some local area networks (LANs), packets are forwarded by layer-2 switches based on their MAC addresses in what is referred to as layer-2 switching. In layer-2 switching, frames are passed between physical ports of the switches without changing the MAC addresses of the forwarded frames. When packets are passed between LANs (or VLANs), the packets are forwarded by routers in what is referred to as routing or layer-3 switching. The routing action generally includes changing the source and destination MAC addresses of the frame, usually based on the IP destination address of the frame, and reducing the value of the time-to-live (TTL) field of the frame by at least one. It is noted that in some cases routing is also performed within a LAN. Some switches, namely layer-3 switches, perform both layer-2 and layer-3 switching.
In the following description and in the claims, the term layer-2 switching refers to the complete forwarding of frames (bridging function) by a switch and does not include partial operations performed by switches during, and as part of, layer-3 switching (routing function).
Many routers and switches include fast paths, generally implemented in hardware, through which some packets, e.g., packets belonging to sessions from which other packets have recently been forwarded, are speedily forwarded.
FIG. 1 is a schematic illustration of frames 40 commonly used in packet based networks. As is known in the art, most frames 40 which pass through data networks comprise an IP packet 42 and a link layer header 44. IP packet 42 is formed of a layer-4 packet 45 and an IP header 46 which includes among other fields, a type of service (ToS) field 47 (a portion of which is referred to also as a different service code point (DSCP) field), a time to live (TTL) field 49, a protocol field 48, a source IP address field 50, and a destination IP address field 52. Layer-4 packet 45 usually includes a payload 54 and a protocol header, e.g., a TCP header 56. TCP protocol header 56 includes, among other fields, a source port field 58, a destination port field 60 and ACK, FIN and SYN bits 63, 64 and 62, respectively. Generally, TCP and UDP sessions are defined by the values of protocol field 48, source IP address field 50, destination IP address field 52, source port field 58, and destination port field 60.
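As an added example (not part of the original application), the following parser pulls out of an Ethernet II frame exactly the fields FIG. 1 names: the DSCP portion of ToS field 47, TTL field 49, protocol field 48, the IP address fields 50 and 52, the port fields 58 and 60 and the SYN/ACK/FIN bits, and derives from them the session key and the order-independent key that joins the two directions into a two-way session. The sample frame is constructed inline; the addresses and ports are illustrative.

```python
import struct
from collections import namedtuple

# Session as defined in the text: protocol, source/destination IP, source/destination port.
Session = namedtuple("Session", "protocol src_ip dst_ip src_port dst_port")

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Return (Session, info) for an Ethernet II frame carrying IPv4 over TCP/UDP, else None."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:      # ethertype must be IPv4
        return None
    ver_ihl, tos, _tot, _id, _frag, ttl, proto, _csum = struct.unpack_from("!BBHHHBBH", frame, 14)
    if ver_ihl >> 4 != 4 or proto not in (6, 17):              # IPv4, TCP (6) or UDP (17)
        return None
    l4 = 14 + (ver_ihl & 0x0F) * 4                              # IHL gives IP header length
    src_ip, dst_ip = _ip(frame[26:30]), _ip(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, l4)         # first two layer-4 fields
    flags = {}
    if proto == 6:                                              # TCP flag bits live in offset/flags word
        bits = struct.unpack_from("!H", frame, l4 + 12)[0] & 0x1FF
        flags = {"SYN": bool(bits & 0x02), "ACK": bool(bits & 0x10), "FIN": bool(bits & 0x01)}
    info = {"dscp": tos >> 2, "ttl": ttl, "flags": flags}       # DSCP is the top 6 bits of ToS
    return Session(proto, src_ip, dst_ip, sport, dport), info

def reverse(s):
    """The session carrying the destination's responses back to the source."""
    return Session(s.protocol, s.dst_ip, s.src_ip, s.dst_port, s.src_port)

def two_way_key(s):
    """Order-independent key: both directions of a two-way session map to the same value."""
    a, b = (s.src_ip, s.src_port), (s.dst_ip, s.dst_port)
    return (s.protocol,) + (a + b if a <= b else b + a)

def build_sample_frame():
    """Constructed sample: Ethernet II + IPv4 (DSCP 46, TTL 64) + TCP SYN 192.0.2.10:40000 -> 198.51.100.20:80."""
    eth = bytes.fromhex("0200000000010200000000020800")        # dst MAC, src MAC, ethertype 0x0800
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, (5 << 12) | 0x02, 8192, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    sess, info = parse_frame(build_sample_frame())
    print(sess, info, two_way_key(sess) == two_way_key(reverse(sess)))
```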
Network connections between computers, although very important, carry with them the danger of unauthorized entry through the network into computers which hold sensitive information. Many IP routers and layer-3 switches check the packets on which they perform layer-3 switching for adherence to security rules. Generally, the security rules are preprogrammed by a network manager of the network that includes the router or switch. Packets which do not adhere to the preprogrammed security rules are logged and/or discarded in order to prevent, for example, illegal intrusion into computers or other end-stations of a LAN from computers external to the LAN. This behavior is referred to as access control.
In many cases, small and medium size organizations connect their computers such that some of the frames passing between computers of the organization do not undergo layer-3 switching. In some organizations, when access control is required within the organization, for example to prevent a worker from a first department from accessing classified information of other departments, separate local area networks (LANs) connect the end-stations of the different departments. The LANs of the different departments may be connected through a router or layer-3 switch which performs access control. This method, however, requires additional wiring and switches. Alternatively, different virtual LANs (VLANs) are defined for the different departments. Alternatively or additionally, the computers of different departments are defined as belonging to different IP sub-nets, thus forcing the packets passing between sub-nets to pass through a router. In some cases, the passage of the frames through a router or layer-3 switch slows down the communication between computers not included in the same LAN or VLAN. Also, the wiring and/or VLAN configuration requires considerable work from a network administrator.
Many organizations use, in addition to the access control performed by their routers and/or layer-3 switches, a firewall, which is usually a software program that checks packets for adherence to more stringent security rules than those implemented by routers and switches. The firewall usually runs on an edge router at the entrance to an organization or on a dedicated processor which is itself sometimes referred to as a firewall.
Layer-3 switches also perform tasks other than access control which go beyond the routing of packets. These tasks, referred to as policy enforcement, generally differentiate between frames based on parameters other than those used for forwarding. The policy enforcement tasks include, but are not limited to, access control, determining a quality of service (QoS) for packets and handling different packets according to their tagged or determined QoS, counting packets belonging to certain sessions (and/or having certain additional characteristics), and passing specific frames to a sniffing station in addition to forwarding them to their destination.
In some cases, the policy enforcement refers to information in IP header 46 and/or the UDP/TCP header 56 of the packets, for example the source and destination IP addresses and ports and the protocol field 48 of the packet. Alternatively or additionally, the policy enforcement refers to the VLAN to which the frame belongs and/or the physical port through which the frame was received.
Some layer-3 switches, such as the Cajun P550 switch available from Lucent Inc., and the GalNet-3 architecture family, available from Galileo, implement policy enforcement in their fast path. One type of these routers includes a large control table in which each transmission session has a respective entry, which lists the policy rules of the session. Frames which do not have an entry in the control table are passed to the processor, which determines their policy based on preprogrammed rules and prepares an entry in the control table accordingly. Switches of this type usually require a control table with thousands (even tens of thousands) of entries, which makes these routers more expensive than other routers. Also, the speed of operation of the fast path of the router may be affected by the size of the table.
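The per-session control table just described, together with the policy enforcement tasks listed above (access control, QoS, per-session counting, mirroring to a sniffing station), as an added example that is not code from the application or from any of the named products. The rule fields, the first-match rule order, the default-deny on no match and the table-size limit are assumptions of this example; a frame whose session has no entry takes the slow path, is matched against the preprogrammed rules, and gets an entry installed so that later frames of the same session are decided in the fast path. Session keys are the 5-tuples used throughout the text.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for a rule field

@dataclass(frozen=True)
class Rule:
    """One preprogrammed policy rule (assumed field set); ANY matches any value."""
    protocol: Optional[int] = ANY
    src_ip: Optional[str] = ANY
    dst_ip: Optional[str] = ANY
    dst_port: Optional[int] = ANY
    action: str = "permit"     # access control: "permit" or "deny"
    qos: int = 0               # QoS class assigned to the session's frames
    mirror: bool = False       # also copy frames to a sniffing station

    def matches(self, key):
        proto, sip, dip, _sport, dport = key
        return all(want is ANY or want == have for want, have in
                   ((self.protocol, proto), (self.src_ip, sip),
                    (self.dst_ip, dip), (self.dst_port, dport)))

class PolicySwitch:
    """Fast path: control table keyed by session 5-tuple. Slow path: first-match rule lookup."""
    def __init__(self, rules, max_entries=4):
        self.rules = list(rules)
        self.max_entries = max_entries   # models the finite hardware table
        self.table = {}                  # session key -> {"rule": Rule, "count": int}
        self.slow_path_hits = 0

    def handle(self, key):
        """Return the policy decision for one frame of session `key` and count it."""
        entry = self.table.get(key)
        if entry is None:                # miss: slow path evaluates the rules
            self.slow_path_hits += 1
            rule = next((r for r in self.rules if r.matches(key)), Rule(action="deny"))
            entry = {"rule": rule, "count": 0}
            if len(self.table) < self.max_entries:
                self.table[key] = entry  # install so later frames stay in the fast path
            # when the table is full the decision is still made, but every frame of
            # this session will keep taking the slow path until an entry is freed
        entry["count"] += 1
        r = entry["rule"]
        return {"action": r.action, "qos": r.qos, "mirror": r.mirror}

if __name__ == "__main__":
    sw = PolicySwitch([Rule(protocol=6, dst_ip="10.0.1.5", dst_port=80, qos=5),
                       Rule(protocol=6, dst_ip="10.0.1.5", action="deny"), Rule()])
    print(sw.handle((6, "10.0.2.9", "10.0.1.5", 40001, 80)), sw.slow_path_hits)
```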
Other switches, such as the Cajun M770 M-MLS and the Cajun M400 3LS which are available from Lucent Inc., maintain sophisticated hardware data structures which perform access control frame filtering. The sophisticated hardware data structures implement the access control rules as programmed by the network manager of the switch.
Some layer-2 switches perform simple security checks at the level of layer-2, for example, they check whether the frames they receive are from end-stations or other network elements to which they are allowed to be connected.
In addition, some layer-2 switches available from Cisco, such as the Catalyst 3524XL and the Catalyst 6500 described in /www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/ios 127xe/qos.htm, the disclosure of which is incorporated herein by reference, perform QoS tasks which are based on general rules. These general rules allow a network manager to assign different QoS to packets of different protocols, e.g., FTP, MAIL and HTTP. In addition, these rules allow assigning different QoS to frames received through different physical ports. Furthermore, these rules allow trusting the tagged QoS in frames which carry specific IP source addresses. These switches also allow the value of the ToS field 47 of the IP header of the packet to be used in determining the QoS they apply.
In an attempt to provide QoS per session within LANs, it has been suggested by the Internet Engineering Task Force (IETF) in “SBM (Subnet Bandwidth Manager), A Protocol for RSVP-based Admission Control over IEEE 802-style networks”, draft-ietf-issll-is802-sbm-10.txt, the disclosure of which is incorporated herein by reference, that when an end-station desires to form a connection with a high QoS, the end-station sends a special request message to the destination. All the switches along the path to the destination determine whether they agree to grant the high QoS to the connection. If all the switches agree to the special QoS, the switches program their hardware to handle all frames belonging to the connection defined by the special request message with the high QoS.